Vulnerabilities found in major password managers expose user vaults
Gugu Ntsele February 26, 2026
Researchers identified 27 successful attack scenarios targeting four of the most widely used cloud-based password managers, potentially exposing millions of stored passwords.
What happened
Security researchers developed 27 successful attack scenarios against Bitwarden, LastPass, Dashlane, and 1Password. The attacks ranged from integrity violations to full vault compromise and directly challenged each provider's claims of "zero-knowledge encryption." Researchers published their findings in a peer-reviewed paper on February 16, 2026, and will present them at the USENIX Security Symposium in Baltimore in August 2026. In total, Bitwarden faced 12 distinct attack scenarios, LastPass faced seven, Dashlane faced six, and 1Password faced two. All three vendors confirmed that remediation is underway following a coordinated 90-day disclosure process.
The backstory
This is not the first time these password managers have come under scrutiny. In August 2025, independent researcher Marek Tóth presented a clickjacking attack at DEF CON 33 capable of stealing passwords, two-factor authentication codes, and credit card details from six major password managers, including 1Password, Bitwarden, LastPass, Enpass, iCloud Passwords, and LogMeOnce.
The attack exploited the autofill capabilities of browser-based password manager extensions by using opacity settings or overlays to hide password manager controls, then tricking users into clicking them through fake pop-ups or CAPTCHAs. Tóth had notified affected companies in April 2025, ahead of public disclosure. At the time of that disclosure, several password managers remained unpatched, with LastPass and LogMeOnce still working on fixes. Dashlane, NordPass, ProtonPass, RoboForm, and Keeper had all been patched against that specific attack.
Going deeper
The 27 attacks fell into four categories based on the password manager feature they exploited:
- Key escrow - Four successful attacks (three against Bitwarden, one against LastPass) compromised the full vault through unauthenticated key escrow and account recovery features.
- Vault encryption - Eleven successful attacks exploited flawed item-level encryption, enabling integrity violations, metadata leakage, field swapping, and key derivation function (KDF) downgrade attacks. Five hit LastPass, four hit Bitwarden, one hit Dashlane, and one hit 1Password.
- Sharing - Five attacks exploited unauthenticated public keys to compromise organization and shared vaults, hitting all four providers.
- Backwards compatibility - Seven attacks exploited legacy encryption pathways to enable confidentiality loss and brute-force attacks. Four hit Dashlane, three hit Bitwarden.
One specific example was a "malicious auto-enrolment" attack against Bitwarden, in which an attacker controlling the server could silently hijack a user's vault the moment they accepted an organization invitation. The attack unfolded in three steps: the attacker intercepts the onboarding request and replaces the server's response with a forged public key and a tampered policy; the client, unable to tell the difference, encrypts the user's master key under the attacker's key; and the attacker decrypts the resulting ciphertext, gaining full access to all stored passwords, notes, and sensitive data.
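As an added illustration (not code from the paper or from any of the vendors), the Go model below shows the client-side check that the auto-enrolment flow above lacks, and folds in the KDF downgrade guard from the "Vault encryption" category: the client refuses to encrypt its master key under a server-supplied organization key unless the key's fingerprint matches one the user obtained out of band, and it rejects a policy that weakens the key derivation function. The `OrgInvite` shape, the fingerprint-pinning design, RSA-OAEP as the wrapping primitive, and the 600,000-iteration floor are all assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"errors"
)

// MinPBKDF2Iterations is a constructed floor: the client rejects any
// server-supplied policy below it (a guard against KDF downgrade).
const MinPBKDF2Iterations = 600_000

// OrgInvite models the server's onboarding response (assumed shape).
type OrgInvite struct {
	OrgPublicKey *rsa.PublicKey
	KDF          string
	Iterations   int
}

// NewOrgKey generates the organization key pair (RSA-2048 for the model).
func NewOrgKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Fingerprint hashes the DER public key; an admin can hand it to the user out of band.
func Fingerprint(pub *rsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(der)
	return sum[:], nil
}

// AcceptInvite rejects a forged org key or a tampered policy before anything is
// encrypted; the vulnerable flow would wrap masterKey under whatever key arrived.
func AcceptInvite(inv OrgInvite, pinnedFP []byte, masterKey []byte) ([]byte, error) {
	fp, err := Fingerprint(inv.OrgPublicKey)
	if err != nil {
		return nil, err
	}
	if subtle.ConstantTimeCompare(fp, pinnedFP) != 1 {
		return nil, errors.New("org public key does not match pinned fingerprint")
	}
	if inv.KDF != "pbkdf2" || inv.Iterations < MinPBKDF2Iterations {
		return nil, errors.New("policy would downgrade the KDF")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, inv.OrgPublicKey, masterKey, nil)
}
```

The point of the ordering is that the wrap only happens after both checks pass, so a server that substitutes its own key or lowers the KDF work factor never receives a ciphertext it can use.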
What was said
Kenneth Paterson, professor at ETH Zurich's Department of Computer Science and lead author of the paper, said that his team was "surprised by the severity of the security vulnerabilities." He noted that his team had previously discovered similar vulnerabilities in other cloud-based services but had "assumed a significantly higher standard of security for password managers due to the critical data they store." He added, "Since end-to-end encryption is still relatively new in commercial services, it seems that no one had ever examined it in detail before."
Why it matters
A flaw in a password manager is categorically different from a flaw in a single application because a successful attack gives an adversary access across a victim's entire digital life, or in enterprise settings, across an entire organization.
What makes these findings concerning is that they don't require clicking a phishing link or using a weak master password. Several of the attack scenarios require only that a server manipulate what the client receives. Users following every best practice could still be exposed.
The bottom line
Password managers remain among the most effective tools for managing credential security, but this research makes clear that "zero-knowledge encryption" requires scrutiny, not blind trust. Users of Bitwarden, LastPass, and Dashlane should verify the remediation status of identified vulnerabilities directly with their provider. Organizations evaluating password managers should ask providers directly how they protect vault integrity in the event of a server compromise.
FAQs
Should I stop using my password manager until these vulnerabilities are patched?
No, the researchers confirmed that passwords remain safe as long as providers are not actively compromised or acting maliciously.
Does using a stronger master password protect me from these attacks?
Not necessarily, because several of the attack scenarios operate at the server level and do not depend on the strength of a user's master password.
Does multi-factor authentication add any protection against these types of attacks?
Multi-factor authentication protects the login process but does not address the cryptographic vulnerabilities identified at the vault and encryption level that this research exposed.